From: Douglas Bagnall
Date: Wed, 20 Oct 2021 23:52:07 +0000 (+1300)
Subject: CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
X-Git-Tag: samba-4.13.14~98
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a57c6e2f6a11698054afb2d9b173e5627eabb89;p=thirdparty%2Fsamba.git
CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index d75277b3853..810365ca030 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -4315,6 +4315,9 @@ static int samldb_fsmo_role_owner_check(struct samldb_ctx *ac)
 /* we are not affected */
 return LDB_SUCCESS;
 }
+ if (el->num_values != 1) {
+ goto choose_error_code;
+ }
 /* Create a temporary message for fetching the "fSMORoleOwner" */
 tmp_msg = ldb_msg_new(ac->msg);
@@ -4331,11 +4334,7 @@ static int samldb_fsmo_role_owner_check(struct samldb_ctx *ac)
 if (res_dn == NULL) {
 ldb_set_errstring(ldb, "samldb: 'fSMORoleOwner' attributes have to reference 'nTDSDSA' entries!");
- if (ac->req->operation == LDB_ADD) {
- return LDB_ERR_CONSTRAINT_VIOLATION;
- } else {
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
+ goto choose_error_code;
 }
 /* Fetched DN has to reference a "nTDSDSA" entry */
@@ -4355,6 +4354,14 @@ static int samldb_fsmo_role_owner_check(struct samldb_ctx *ac)
 talloc_free(res);
 return LDB_SUCCESS;
+
+choose_error_code:
+ /* this is just how it is */
+ if (ac->req->operation == LDB_ADD) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ } else {
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
 }
 /*
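Review bot: The new `el->num_values != 1` guard in the first hunk jumps to `choose_error_code` without calling `ldb_set_errstring()`, so a request rejected here returns only a bare result code. The `res_dn == NULL` path in the second hunk sets a message before taking the same jump. Consider setting one first, for example `ldb_set_errstring(ldb, "samldb: 'fSMORoleOwner' must have exactly one value!");`, provided `ldb` is already assigned at this point (its initialisation is outside the hunk). A one-line comment such as `/* fSMORoleOwner must carry exactly one value; reject empty or multi-valued elements */` would also record why the guard exists. The function body starts and ends outside this hunk.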
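Review bot: The comment `/* this is just how it is */` at the `choose_error_code` label in the third hunk gives a maintainer no reason why the two branches return different codes. A comment that states the rule would be more useful, such as `/* LDB_ADD fails with a constraint violation; every other operation fails with unwilling-to-perform */`. If the split is meant to match directory-server behaviour that clients or tests depend on, which the hunk does not show, that reason belongs in the comment as well. The label sits after the function's `return LDB_SUCCESS;`, and the start of the function is outside this hunk.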